Steps to help prevent duplicate or orphaned records after running Vulnerability Response CI lookup rules
- Updated Jan 30, 2025
- Yokohama
- Vulnerability Response
Take steps to help prevent duplicate or orphaned records that result from matching configuration items (CIs) within the CMDB.
Importing vulnerability data can be taxing on an instance, and resource performance issues can occur if rules are not carefully constructed. The logic used to iterate through the CMDB and perform matching can result in lengthy processing times. Thorough testing and debugging of the processing scripts in the rules helps reduce the potential for issues later in the process.
Preventing duplicate or orphaned records
- Use small subsets of data that are specific to the CI Lookup Rule being tested.
- Set all CI Lookup Rules, other than the one being tested, to Inactive.
- Analyze the imported CIs to ensure that you are observing the expected behavior and matching is occurring properly.
- Review Matched CIs
- Examine the count of matched vs. unmatched CIs. Ensure that the percentage is acceptable. Don’t just look at the first page; that is likely the first one inserted.
- Manually search for some CIs.
- Check to see if there are any naming or field problems (such as searching for a specific domain). If it seems appropriate, add additional matching rules.
- Review Unmatched CIs
- Navigate to the Unmatched CIs table.
- Group by Configuration Item class.
- Review any classes that don’t look right (certificates, network cards, images).
- Figure out why they didn’t match the correct CI.
- Should the class be excluded?
- Should the class be elevated to a related class?
- Review CI states such as Retired.
- Remove Test Data
- Once you begin to observe the correct or expected behavior in CI matching, start over.
- Start over by: Deleting the data used for testing (see the Deleting data from tables section):
- Discovered Items
- Vulnerable Items
- Remediation tasks
- Manually rerunning all the CI Matching rules.
For more information on CI Lookup Rules and Qualys, see the KB0750656 article.
For more information on CI Lookup Rules and Rapid7, see the KB0818096 article.
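The matched and unmatched review steps above can also be run over an export of the test import instead of paging through lists. The following is an added example, not ServiceNow code: it reports the match percentage, unmatched counts grouped by class, and matched CIs in a Retired state. The row fields `name`, `matched`, `ciClass` and `ciState` and the sample rows are assumptions constructed for illustration.

```javascript
// Added example. Field names are assumptions about an exported list,
// not ServiceNow column names.
function summarizeCiMatching(rows) {
  const unmatchedByClass = new Map();
  const matchedRetired = [];
  let matched = 0;
  for (const row of rows) {
    if (row.matched) {
      matched += 1;
      // A match to a Retired CI deserves a manual look.
      if (String(row.ciState || '').toLowerCase() === 'retired') {
        matchedRetired.push(row.name);
      }
    } else {
      // Group unmatched items by class to spot classes that look wrong.
      const cls = row.ciClass || '(no class)';
      unmatchedByClass.set(cls, (unmatchedByClass.get(cls) || 0) + 1);
    }
  }
  const total = rows.length;
  return {
    total,
    matched,
    unmatched: total - matched,
    // Percentage over the whole data set, rounded to one decimal place.
    matchedPercent: total === 0 ? 0 : Math.round((matched / total) * 1000) / 10,
    // Largest groups first; ties are ordered by class name.
    unmatchedByClass: [...unmatchedByClass.entries()]
      .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0])),
    matchedRetired,
  };
}

// Constructed sample rows standing in for a small test import.
const sampleRows = [
  { name: 'web01', matched: true, ciClass: 'Linux Server', ciState: 'Installed' },
  { name: 'web02', matched: true, ciClass: 'Linux Server', ciState: 'Installed' },
  { name: 'web03', matched: true, ciClass: 'Linux Server', ciState: 'Installed' },
  { name: 'db01', matched: true, ciClass: 'Windows Server', ciState: 'Retired' },
  { name: 'app01.corp.example', matched: false, ciClass: 'Linux Server' },
  { name: 'nic-a', matched: false, ciClass: 'Network Adapter' },
  { name: 'nic-b', matched: false, ciClass: 'Network Adapter' },
  { name: 'cert-1', matched: false, ciClass: 'Certificate' },
];

console.log(summarizeCiMatching(sampleRows));
```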
Deleting data from tables
- Using Delete All Records on Table Configuration.
- Configure the Table Cleaner by navigating to Auto Flushes (sys_auto_flush.list) and creating a new Auto-flush record.
- Truncate the table with gs.truncateTable using a background script.
Using truncateTable requires turning off the record for rollback check box in the background scripts. Otherwise, a copy of the table and related cascade tables is created, which takes too long and most likely fails.
Note: Never use truncateTable in a production environment. Consult your Support representative before executing large deletions in production or shared environments.